ISN 2023-29: Chromium Vulnerabilities

First published 9 November 2023

CVSS 3.1: 8.8 (High)

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Summary

Multiple vulnerabilities have been discovered in the Chromium web browser, which is used in IGEL OS. The following IGEL products are affected:

  • IGEL OS 12
  • IGEL OS 11

Details

Chromium has been found to contain an inappropriate implementation in the Payments component that allows a remote attacker to bypass XSS preventions via a malicious file. This is tracked as CVE-2023-5480 and rated as high. In Chromium’s USB component, insufficient data validation (CVE-2023-5482, high) could allow out-of-bounds memory access via a crafted HTML page. Additionally, an integer overflow has been reported in USB that could be used to exploit heap corruption via a crafted web page (CVE-2023-5849, high).

Update Instructions

  • OS 12: IGEL is preparing an updated OS 12 Chromium app.
  • OS 11: IGEL is preparing an updated OS 11 version with an updated Chromium.
